Search criteria
1 vulnerability by ansibleguy
CVE-2024-36110 (GCVE-0-2024-36110)
Vulnerability from cvelistv5 – Published: 2024-05-28 18:33 – Updated: 2024-08-02 03:30
VLAI
Title
Cross-site scripting in ansibleguy-webui
Summary
ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on pypi). Users are advised to upgrade. There are no known workarounds for these issues.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/ansibleguy/webui/security/advi… | x_refsource_CONFIRM |
| https://github.com/ansibleguy/webui/issues/44 | x_refsource_MISC |
| https://github.com/ansibleguy/webui/commit/7737b4… | x_refsource_MISC |
| https://github.com/ansibleguy/webui/files/1535852… | x_refsource_MISC |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| ansibleguy | webui |
Affected:
< 0.0.21
|
|
| ansibleguy | webui |
Affected:
0 , < 0.0.21
(custom)
cpe:2.3:a:ansibleguy:webui:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:ansibleguy:webui:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "webui",
"vendor": "ansibleguy",
"versions": [
{
"lessThan": "0.0.21",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36110",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T20:13:21.843733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:47:37.934Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:30:12.971Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/ansibleguy/webui/security/advisories/GHSA-927p-xrc2-x2gj",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/ansibleguy/webui/security/advisories/GHSA-927p-xrc2-x2gj"
},
{
"name": "https://github.com/ansibleguy/webui/issues/44",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansibleguy/webui/issues/44"
},
{
"name": "https://github.com/ansibleguy/webui/commit/7737b47e7f7ddbfec7b1418c724598363718d522",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansibleguy/webui/commit/7737b47e7f7ddbfec7b1418c724598363718d522"
},
{
"name": "https://github.com/ansibleguy/webui/files/15358522/Report.pdf",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/ansibleguy/webui/files/15358522/Report.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "webui",
"vendor": "ansibleguy",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions \u003c 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus evaluated by the browser. These issues have been addressed in version 0.0.21 (0.0.21.post2 on pypi). Users are advised to upgrade. There are no known workarounds for these issues."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-28T18:33:56.721Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ansibleguy/webui/security/advisories/GHSA-927p-xrc2-x2gj",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ansibleguy/webui/security/advisories/GHSA-927p-xrc2-x2gj"
},
{
"name": "https://github.com/ansibleguy/webui/issues/44",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansibleguy/webui/issues/44"
},
{
"name": "https://github.com/ansibleguy/webui/commit/7737b47e7f7ddbfec7b1418c724598363718d522",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansibleguy/webui/commit/7737b47e7f7ddbfec7b1418c724598363718d522"
},
{
"name": "https://github.com/ansibleguy/webui/files/15358522/Report.pdf",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ansibleguy/webui/files/15358522/Report.pdf"
}
],
"source": {
"advisory": "GHSA-927p-xrc2-x2gj",
"discovery": "UNKNOWN"
},
"title": "Cross-site scripting in ansibleguy-webui"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-36110",
"datePublished": "2024-05-28T18:33:56.721Z",
"dateReserved": "2024-05-20T21:07:48.186Z",
"dateUpdated": "2024-08-02T03:30:12.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}